SSL Review

A quick review of how SSL works. You type a name into your web browser (e.g. www.mycompany.example); the browser connects and verifies that the presented certificate is signed by a trusted party and that a name in the certificate matches the requested name. Should either of these checks fail, you get a nasty-gram from your browser. In the past this required a single SSL certificate per IP address, but Server Name Indication (SNI) makes it possible to attach multiple SSL certificates to a single IP address as long as the client supports SNI.

Traditional Cert

A traditional certificate only contains a single name.

store.mycompany.example

Wildcard Certs

A wildcard cert replaces a single name with a wildcard character. Browsers will treat the “*” character as any valid name.

*.blog.mycompany.example

Subject Alternative Names

SAN certs are similar to a traditional SSL cert, with the added bonus that you can provide a list of “alternative” names that are also valid. For example, a SAN cert could be limited to only the following names:

What type of cert to use

These examples highlight my recommendations for what type of certificate to use. Sites that transact sensitive data (e.g. SSN or CCN) should have their own certificate. Sites that have a low level of security and a high number of names would benefit from a wildcard certificate. A middle ground would be a SAN certificate. When using SAN certs it is best to group names together by organization or security classification.
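To make the three certificate shapes concrete, here is an added Python example (not code from the original article) of the name check a browser performs: exact matching for traditional and SAN names, and single-label matching for a wildcard. The certificate name lists, including the SAN list, are constructed for illustration.

```python
"""Browser-style hostname matching for traditional, wildcard and SAN certificates."""


def _label_matches(pattern: str, label: str) -> bool:
    """A wildcard covers exactly one DNS label: '*' matches 'news' but never 'a.b' or ''."""
    if pattern == "*":
        return label != ""
    return pattern == label


def hostname_matches(cert_names, hostname: str) -> bool:
    """Return True if the requested hostname is covered by any name the certificate presents.

    Rules applied (simplified from what browsers do):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard may appear only as the whole leftmost label
    - a wildcard matches exactly one label, so '*.blog.mycompany.example'
      covers 'news.blog.mycompany.example' but not 'blog.mycompany.example'
      nor 'a.b.blog.mycompany.example'
    - a wildcard name needs at least three labels, so '*.example' is rejected
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard never spans several labels
        if "*" in pat_labels[1:]:
            continue  # wildcard only allowed in the leftmost label
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # '*.example' would cover a whole public suffix
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# Constructed certificate name lists mirroring the article's three cert types.
TRADITIONAL = ["store.mycompany.example"]
WILDCARD = ["*.blog.mycompany.example"]
SAN = ["www.mycompany.example", "store.mycompany.example", "blog.mycompany.example"]


def accepted_by(cert_names, hostnames):
    """List which of the given hostnames a certificate with these names would satisfy."""
    return [h for h in hostnames if hostname_matches(cert_names, h)]


if __name__ == "__main__":
    probes = ["store.mycompany.example", "blog.mycompany.example",
              "news.blog.mycompany.example", "a.b.blog.mycompany.example"]
    for label, names in (("traditional", TRADITIONAL), ("wildcard", WILDCARD), ("SAN", SAN)):
        print(f"{label:12s} accepts {accepted_by(names, probes)}")
```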

How to consolidate services

The above should help in reducing the number of certificates that you have. If you want to further reduce the number of IP addresses that you're using for your sites, please read my companion article on Routing HTTP by request headers. There's also another DevCentral article about SSL Profiles where you can learn more about SSL.

The distinction that I was making with wildcard certs is that they will match more names than a traditional / SAN cert. The best analogy I can think of is an ID card that says a person is from Virginia vs. one that says the person is named John Smith. Saying a person is from Virginia is valid, but could apply to many people, whereas “named John Smith” is more precise. I would trust the more precise identifier.
